[Freeipa] [Bug 1772450] Re: freeipa server -- problems with certificates
So far, the only clue I can find in the logs is a 'null' value for authType and principal:

  [ajp-nio-127.0.0.1-8009-exec-1] INFO com.netscape.cms.tomcat.ExternalAuthenticationValve - ExternalAuthenticationValve: authType: null
  [ajp-nio-127.0.0.1-8009-exec-1] INFO com.netscape.cms.tomcat.ExternalAuthenticationValve - ExternalAuthenticationValve: principal: null

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772450

Title:
  freeipa server -- problems with certificates

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  After having installed FreeIPA server on Ubuntu 18.04 and having sorted out all the other bugs, I still have problems with certificates.

  In the web interface, every attempt to select the "Authentication -> Certificates" tab ends with the following error:

  IPA Error 4301: CertificateOperationError
  Certificate operation cannot be completed: Unable to communicate with CMS (Start tag expected, '<' not found, line 1, column 1)

  The problem also occurs with command line utilities. For example, 'ipa cert-show 1' returns the error:

  'ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1772450/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1772450] Re: freeipa server -- problems with certificates
Strange. I am able to execute 'pki cert-find' without error.

  $ pki cert-find
  SLF4J: Class path contains multiple SLF4J bindings.
  SLF4J: Found binding in [jar:file:/usr/share/java/slf4j-jdk14.jar!/org/slf4j/impl/StaticLoggerBinder.class]
  SLF4J: Found binding in [jar:file:/usr/share/java/slf4j-simple.jar!/org/slf4j/impl/StaticLoggerBinder.class]
  SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
  SLF4J: Actual binding is of type [org.slf4j.impl.JDK14LoggerFactory]
  13 entries found
  ...

Is there some other stage you think may be responsible for the error? I can dig into the Java layer if you have any hypotheses that lead there...

[Freeipa] [Bug 1772450] Re: freeipa server -- problems with certificates
I would like to help debug this. Like gianluca, I've managed to sort out the other bugs and am hitting this certificate issue.

Where can I find the Git repository for 4.7.0-pre2? The associated repos only seem to contain 4.7.0-pre1:
https://code.launchpad.net/ubuntu/+source/freeipa/+git

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1772450

Title:
  freeipa server -- problems with certificates

Status in freeipa package in Ubuntu:
  New

[Freeipa] [Bug 1769440] Re: freeipa server install fails - Configuring the web interface, setting up ssl
Is there a recommended workaround? For example, install without DNS support and use a separate bind installation?

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1769440

Title:
  freeipa server install fails - Configuring the web interface, setting up ssl

Status in freeipa package in Ubuntu:
  Confirmed

Bug description:
  Setting up FreeIPA server fails at "Configuring the web interface", step 12/21

  It's in a cleanly started LXC Ubuntu Bionic container. The ppa:freeipa/ppa is also used to get tomcat 8.5.30-1ubuntu1.2

  Configuring the web interface (httpd)
    [1/21]: stopping httpd
    [2/21]: backing up ssl.conf
    [3/21]: disabling nss.conf
    [4/21]: configuring mod_ssl certificate paths
    [5/21]: setting mod_ssl protocol list to TLSv1.0 - TLSv1.2
    [6/21]: configuring mod_ssl log directory
    [7/21]: disabling mod_ssl OCSP
    [8/21]: adding URL rewriting rules
    [9/21]: configuring httpd
    [10/21]: setting up httpd keytab
    [11/21]: configuring Gssproxy
    [12/21]: setting up ssl
    [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERRORCertificate issuance failed (CA_REJECTED)
  ipapython.admintool: ERRORThe ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

  and in the log there is

  2018-05-05T20:37:29Z DEBUG stderr=
  2018-05-05T20:37:29Z DEBUG step duration: httpd configure_gssproxy 1.09 sec
  2018-05-05T20:37:29Z DEBUG [12/21]: setting up ssl
  2018-05-05T20:37:33Z DEBUG certmonger request is in state dbus.String(u'GENERATING_KEY_PAIR', variant_level=1)
  2018-05-05T20:37:38Z DEBUG certmonger request is in state dbus.String(u'CA_REJECTED', variant_level=1)
  2018-05-05T20:37:42Z DEBUG Traceback (most recent call last):
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 555, in start_creation
      run_step(full_msg, method)
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/service.py", line 541, in run_step
      method()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/httpinstance.py", line 376, in __setup_ssl
      passwd_fname=key_passwd_file
    File "/usr/lib/python2.7/dist-packages/ipalib/install/certmonger.py", line 320, in request_and_wait_for_cert
      raise RuntimeError("Certificate issuance failed ({})".format(state))
  RuntimeError: Certificate issuance failed (CA_REJECTED)

  2018-05-05T20:37:42Z DEBUG [error] RuntimeError: Certificate issuance failed (CA_REJECTED)
  2018-05-05T20:37:42Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 174, in execute
  ...

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1769440/+subscriptions

[Freeipa] [Bug 1653245] Re: python-ipalib is missing authconfig
Timo, can you post a link to the Git repository that hosts the patch? Apologies if I've missed it. I know of these:

* https://anonscm.debian.org/git/pkg-freeipa/freeipa.git
* https://launchpad.net/freeipa

Much appreciated!

--
You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1653245

Title:
  python-ipalib is missing authconfig

Status in freeipa package in Ubuntu:
  Fix Committed

Bug description:
  When doing ipa-backup it will eventually want to do a backup of authconfig. This is a RedHat specific tool, but there is no Ubuntu/Debian replacement.

  ipa-backup will fail with a Python stack trace.

  2016-12-30T10:36:02Z DEBUG Starting external process
  2016-12-30T10:36:02Z DEBUG args=/usr/sbin/authconfig --savebackup /var/lib/ipa/auth_backup
  2016-12-30T10:36:02Z DEBUG Process execution failed
  2016-12-30T10:36:02Z DEBUG File "/usr/lib/python2.7/dist-packages/ipapython/admintool.py", line 171, in execute
      return_value = self.run()
    File "/usr/lib/python2.7/dist-packages/ipaserver/install/ipa_backup.py", line 310, in run
      tasks.backup_auth_configuration(auth_backup_path)
    File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/tasks.py", line 195, in backup_auth_configuration
      auth_config.backup(path)
    File "/usr/lib/python2.7/dist-packages/ipaplatform/redhat/authconfig.py", line 91, in backup
      ipautil.run(["/usr/sbin/authconfig", "--savebackup", path])
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 423, in run
      preexec_fn=preexec_fn)
    File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
      errread, errwrite)
    File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
      raise child_exception

  2016-12-30T10:36:02Z DEBUG The ipa-backup command failed, exception: OSError: [Errno 2] No such file or directory
  2016-12-30T10:36:02Z ERROR [Errno 2] No such file or directory
  2016-12-30T10:36:02Z ERROR The ipa-backup command failed. See /var/log/ipabackup.log for more information

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1653245/+subscriptions